Technical Information
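- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Svchost.exe' = '"%APPDATA%\Microsoft\Svchost.exe"'
  (per-user autorun entry, so it takes effect at that user's logon and needs no administrator rights to create; the genuine Windows svchost.exe resides in the Windows system directory, so a file of this name under %APPDATA% is a masquerading indicator)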
- %TEMP%\00.bat
- %TEMP%\0.exe
- %TEMP%\ARCCheat.exe
- %APPDATA%\Microsoft\Svchost.exe
- %APPDATA%\Microsoft\Svchost.exe
- %TEMP%\ARCCheat.exe
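- '17#.#50.133.226':4431
  (remote address and port; '#' is not valid in an IPv4 address, so the address appears to be partially masked in this listing and cannot be used as an exact-match indicator as written)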
- ClassName: 'EDIT' WindowName: ''
- '%TEMP%\0.exe' -pR120bb000F1PPqqA2K9D2kk0Kc9C0C133aw21h0d1q28h1d121d3412e31yyawfa -d%HOMEPATH%\Local Settings\Temp
- '%TEMP%\ARCCheat.exe'
- '%APPDATA%\Microsoft\Svchost.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\00.bat" "
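- '<SYSTEM32>\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del "%TEMP%\ARCCheat.exe"&"%APPDATA%\Microsoft\Svchost.exe"
  (the single ping with its output discarded appears to serve only as a short delay; the same command line then deletes %TEMP%\ARCCheat.exe and launches %APPDATA%\Microsoft\Svchost.exe, so a cmd.exe chain of ping followed by Del of a %TEMP% executable is a useful process-creation detection point)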
- '<SYSTEM32>\ping.exe' 1.1.1.1 -n 1 -w 3